Web Attack From My Websites

starrcade

I was hoping someone can help me with more info. I have several subdomain websites on my hosting account. As of 2 months ago, when I go to one of my website domains, my Norton Anti-Virus instantly sends me a message telling me that it blocked a "Web Attack: Malicious Toolkit Website 9". The attacking computer name is usually different, but the alert has been the same.

I was looking at my PHP websites (including WordPress sites) and noticed several PHP files were changed on the same date/time (on a day I never accessed my account). The changed file names on all of my PHP sites were the same (such as "index.php", and that file name could be in multiple folders). When I reviewed the files, it appears that a new line of code was injected at the very end of the PHP file (such as after the "/html" tag). I added the code from one file down below.

I changed all my passwords and deleted the line of injected code from all the changed PHP files last week. About 2 days ago, the code appeared again at the end of the same PHP files.

Does anyone know how this is happening? Is there anything I can do to prevent code from being injected? I looked at the FTP log for this month, and the only IPs that show up belong to me. I'm not sure how multiple sites on my account seem to have this code injected all at the same time, all in the same file names.

Any help would be appreciated since I am not an expert with this. My message is too long, so I will post the long line of code under this message.

ssystems

If your code is the same, a single script may bulk-process it.

starrcade

When you say my code is the same, do you mean my website code? I have several different website domains (with different PHP code; the WordPress site isn't the same as one of my other PHP sites). All of my PHP sites have been hit, which are all under 1 master hosting account.

If you mean the injected code is the same, it does look similar. The code is too long to verify if it is the exact same or not, as you can see above.

Then I made a text file called "index_error.php" and wrote "error" in it. Any thoughts, or other suggestions?

starrcade

I added the code above to my .htaccess, and I spent the last 2 days deleting all of the injected code (see above) in the PHP files on my 4 domains. I looked at my PHP files tonight, and the injected code is back in all of the same PHP files (on all 4 domains).

Any thoughts or ideas?

ssystems

Are there any other sites affected on that server? I mean, how many sites do you have there? Are all of them affected? Try to put a site there, just a simple one with just index.php and nothing else. See if that gets affected as well.

Next you'll see the timestamp the files were modified. Compare it with the access logs and see if it actually came from a web request.

Next did you follow my suggestion about checking the file permissions and setting it to the minimum?

Next are there any cron jobs running? Check if any of them is doing this. (If you have enough credentials)

Next, are you hosted by one of those fly-by-night companies? "Sometimes" the cost of the more expensive, well-established ones will just pay for itself.

Try these first then get back to us either way.
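The timestamp, access-log and permission checks suggested above, as an added example that is not part of the thread and not code from any poster. It assumes a Linux host, a webroot of PHP files, and an Apache/nginx combined-format access log; the webroot, file contents, IP addresses and log lines it builds are all constructed for the demo, and the "appended line" is a harmless placeholder, not the injected code from the thread.

```python
"""Triage helpers for PHP files that keep getting a line appended after </html>.

Added example (not from the forum thread). Assumes Linux, a webroot of .php files
and a combined-format access log. Every file, path, IP and log line below is constructed.
"""
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
LOG_TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def scan_trailing_code(webroot):
    """Return {path: tail_bytes} for .php files with non-whitespace after the last </html>."""
    hits = {}
    for dirpath, _, names in os.walk(webroot):
        for name in names:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            idx = data.lower().rfind(b"</html>")
            if idx == -1:
                continue  # no closing tag: nothing to compare against here
            tail = data[idx + len(b"</html>"):].strip()
            if tail:
                hits[path] = tail
    return hits


def cluster_by_mtime(paths, window_seconds=60):
    """Group files whose mtimes lie within window_seconds of each other.
    One burst across many files is the 'all changed at the same date/time' pattern."""
    stamped = sorted((os.stat(p).st_mtime, p) for p in paths)
    clusters = []
    for mtime, path in stamped:
        if clusters and mtime - clusters[-1][-1][0] <= window_seconds:
            clusters[-1].append((mtime, path))
        else:
            clusters.append([(mtime, path)])
    return clusters


def parse_log_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "time": datetime.strptime(ts, LOG_TS_FMT),
            "method": method, "path": path, "status": int(status)}


def requests_near(log_lines, when, before=300, after=60):
    """Requests logged in [when - before, when + after] seconds around a modification time."""
    lo, hi = when - timedelta(seconds=before), when + timedelta(seconds=after)
    recs = (parse_log_line(line) for line in log_lines)
    return [r for r in recs if r and lo <= r["time"] <= hi]


def world_writable(webroot):
    """Files under webroot that any local user could write (the permission check above)."""
    found = []
    for dirpath, _, names in os.walk(webroot):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.stat(path).st_mode & 0o002:
                found.append(path)
    return sorted(found)


def triage(webroot, log_lines):
    """Tampered files, grouped by modification burst, with the web requests around each burst."""
    report = []
    for cluster in cluster_by_mtime(scan_trailing_code(webroot)):
        when = datetime.fromtimestamp(cluster[0][0], tz=timezone.utc)
        nearby = requests_near(log_lines, when)
        report.append({
            "modified_at": when,
            "files": sorted(p for _, p in cluster),
            "nearby_requests": nearby,
            # a POST to a .php file just before the burst is what a web-based write looks like
            "suspicious_posts": [r for r in nearby
                                 if r["method"] == "POST" and r["path"].endswith(".php")],
        })
    return report


# ---- constructed demo data ----------------------------------------------------
INJECTION_TIME = datetime(2024, 3, 2, 3, 14, 0, tzinfo=timezone.utc)   # constructed
CLEAN_TIME = INJECTION_TIME - timedelta(days=30)                        # constructed
SAMPLE_LOG = [  # constructed; 203.0.113.10 plays the owner, 198.51.100.7 the unknown client
    '203.0.113.10 - - [02/Mar/2024:01:05:12 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [02/Mar/2024:03:13:41 +0000] "POST /wp-content/uploads/cache.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [02/Mar/2024:09:30:00 +0000] "GET /blog/ HTTP/1.1" 200 7001 "-" "Mozilla/5.0"',
]


def build_demo_webroot():
    """Temp webroot: two index.php files with a placeholder line after </html>, one clean file."""
    root = tempfile.mkdtemp(prefix="webroot_")
    clean = b"<html><body>ok</body></html>\n"
    tampered = clean + b"<?php /* constructed stand-in for the appended line */ ?>\n"
    layout = {"index.php": tampered, "blog/index.php": tampered, "about.php": clean}
    for rel, body in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
        ts = (INJECTION_TIME if body == tampered else CLEAN_TIME).timestamp()
        os.utime(path, (ts, ts))
        os.chmod(path, 0o666 if rel == "about.php" else 0o644)  # one deliberately loose file
    return root


if __name__ == "__main__":
    demo_root = build_demo_webroot()
    for entry in triage(demo_root, SAMPLE_LOG):
        print(entry["modified_at"], entry["files"], [r["ip"] for r in entry["suspicious_posts"]])
    print("world-writable:", world_writable(demo_root))
```

On a real host, point `triage()` at the webroot and the lines of the server's access log; a burst of modified files with no matching web request around the same minute argues for a non-web path (a cron job, another account on the same server, or stolen credentials), which is exactly the distinction the checks above are meant to draw.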

luisafonso

Hi,
have you managed to get rid of this problem?
I have the same problem and it is driving me nuts trying to figure it out.
Thanks,
Luis